EmergingThreats> Main Web>2006397 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Successful Connect Packet Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006396; sid:2006397; rev:1;)

Added 2007-07-16 05:16:13 UTC

Bot is using port 80 in an interesting way. Agent makes an outbound port 80 connection, sends a checkin, gets a command back of what IP and port to connect to. Then sends a connection successful type of packet, then streams whatever the controller sends trough the agent.

Initial packet from the agent looks like so:

24 bytes

09 02 06 00 25 ab 3f .....

Agent replies with:

10 bytes

9a 02 07 00 xx xx xx xx 00 yy

the x's are the IP to connect to, y being the port

Agent then makes the connection and replies wth something like:

16 bytes

9a 02 08 00 00 00 ...

The agent then started proxying the connection direct between controller.

More info as I get it


-- MattJonkman - 16 Jul 2007

Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2007-07-16 - MattJonkman
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats